Authorization Core vs. Authorization Extension
We plan to deprecate Rules and Hooks in 2024, and at that time, Rules and Hooks-based Extensions will be out of support. We highly recommend that you migrate to Actions to extend Auth0. With Actions, you have access to rich type information, inline documentation, and public npm packages, and can connect external integrations that enhance your overall extensibility experience.
To learn more about what Actions offer, read Understand How Auth0 Actions Work. We also have a dedicated Move to Actions page that highlights feature comparisons, an Actions demo, and other resources to help you on your migration journey.
To read more about the Rules and Hooks deprecation, read our blog post: Preparing for Rules and Hooks End of Life.
Auth0 currently provides two ways of implementing role-based access control (RBAC): our Core implementation and our Authorization Extension. Our Core implementation improves performance and scalability.
We recommend using Authorization Core for most implementations. If you are looking to represent teams, business customers, or partners in a B2B or SaaS application, we recommend representing them as Organizations and using Authorization Core. The Authorization Extension does not have support for Organizations.
To help you decide which feature is right for your implementation, we present the differences between the two:
| Feature | Authorization Core | Authorization Extension |
|---|---|---|
| Enhanced performance and scalability | Yes - Read Entity Limit Policy | No - Limited to 500KB of data (1000 groups, 3000 users, where each user is a member of 3 groups; or 20 groups, 7000 users, where each user is a member of 3 groups) |
| Create/edit/delete Roles | Yes | Yes |
| Roles can contain permissions from one or more APIs | Yes | No |
| Users and Roles can be assigned to Groups | No | Yes |
| Roles are attached to specific applications | No | Yes |
| Create/edit/delete Users | Yes | Yes |
| Search Users by user, email, connection | Yes | Yes |
| Search Users by identity provider, login count, last login, phone number | Yes | No |
| Search Users using Lucene syntax | Yes | No |
| User import/export via JSON | Not currently | Yes |
| Create custom authorization policies | Yes | No |